SunFlash 79.05: SunScreen and Java Questions & Answers
From a marketing perspective, since SunScreen is targeted towards all customers, not just current Sun customers, it was felt that "a black box controlled by a PC running Windows" would be easier to explain and sell and would not require a detailed discussion of UNIX. Additionally, since the Administration Station is required to be a dedicated system, it was felt that customers would be more receptive to a lower cost machine such as a PC, being a dedicated, single-purpose- only system. Finally, ICG will be offering an end-user solution and due to its
[Note the export related stuff, and the 40-bit RC2 & RC4. But also note "An International version will be available early in 1996". --gnu] ============================================================================== SunFlash 79.05 SunScreen and Java Questions & Answers July 1995 John J. McLaughlin, Editor/Publisher flash@flashback.com ============================================================================== SunScreen is a Product Line comprised of enabling products/solutions for doing business transactions on the Internet and other public networks. The first product offering in the SunScreen Product Line is the SPF-100, a completely new network security device. SPF-100 is a dedicated, turnkey solution designed to be network undetectable. Shipped pre-configured, SPF- 100 is based on state-of-the-art packet screening integrated with encryption to provide private and authenticated communications on public networks. Several questions about the Java language and the HotJava browser are also addressed. ------------------------------------------------------------------------------- The SunScreen sits on network boundaries, either between two LAN's or between a LAN and a WAN. It can be used to achieve compartmentalization within internal networks or to use the Internet or other public networks as a virtual, secure, private network (VSPN). The SPF-100 is being targeted towards enterprise customers who require the highest levels of network security and guaranteed privacy. The market segments who have expressed the most interest in the SunScreen SPF-100 include Telecommunications, Finance, Health Care and the Government. Due to restrictions imposed on the export of encryption products, the SunScreen SPF-100 will initially be released only in the U.S.A.. and Canada. An International version of the product is scheduled for early 1996. What does SunScreen look like? The SunScreen consists of two physical components: SPF-100, the security gateway product is based on a headless SPARC-based system running an embedded OS and shipped standard with five ethernet ports (one on-board and four through a Quad Ethernet Card). Four of the ports are used for screening packets and have no IP address. Since the embedded OS does not include any user programs, network services, etc., it cannot be logged into, nor can any applications be run on it. The SPF-100 is managed by the SunScreen Administration Station, an Intel 486-based system running MS-DOS and Windows 3.1. Multiple SPF-100's may be remotely managed by a single SunScreen Administration Station, or a single SPF-100 can be managed by multiple SunScreen Administration Stations. The SPF-100 uses the fifth ethernet port to establish an encrypted connection to the SunScreen Administration Station. The SunScreen Administration Station is the only device that can be used for monitoring, configuring and managing the SPF-100. A SunScreen is set up to be the point of contact between two administrative domains such as a private and a public network. Two or more of the Quad Ethernet ports can be used to bridge the private and public sides. The on- board Lance Ethernet interface links the SPF-100 to the SunScreen Administration Station through an authenticated and encrypted connection. Functionally, the SPF-100 includes an IP level packet screen and a facility to encrypt and decrypt data transmissions. The SPF-100 packet screen software runs as an integral part of the SunScreen operating environment. It tracks the state of session oriented packet transactions (e.g. TCP) as well as sessionless packet transactions (e.g., UDP). Maintaining state allows the SunScreen to provide additional protection from connection stealing. Effectively, the SPF-100 is invisible to any network entity other than certified Administration Stations. Interfaces that participate in the packet screening activity have no IP address and do not respond to any network probing; they simply pass packets on to the screen. Using the SunScreen Administrative GUI, an administrator can specify packet screening rules, specify encryption/decryption criteria, configure and implement a security policy and monitor the SPF-100 actions on incident network traffic. All transactions between associated Administrative Stations and SPF-100's are encrypted, adding security to administrative activity. What is a packet screen? How is a SunScreen packet screen set up? A packet screen is a software filter that is imposed on a network data packet as it passes from a public network to a private network. A packet screen acts on a data packet according to a set of rules. Generally speaking, rules are used to discriminate certain packets and to initiate certain actions on those packets. SunScreen packet screens are specified by an administrator at the Administration Station. A packet screen rule is defined by the contents of three discriminator fields and two actor fields. Two of the discriminator fields are the packet source and destination address. These may be addresses of networks, subnets, hosts, or groups of hosts. The third discriminator field identifies the packet's Internet service type, e.g. telnet or ftp. This really equates to a socket port number, so privately defined services can be discriminated as well. SunScreen also does port coloring to ensure that the source address is consistent with the ethernet interface. The two actor fields determine what action is taken if the discriminating conditions select an incoming packet. One actor simply determines if the packet passes or fails. The other determines what explicit action the packet triggers. An example of a rule would be to discriminate any packet originating at IP address 192.9.185.28, heading for IP address 129.146.10.14, and using the telnet service. Any packet that meets these criteria is allowed to pass through the screen but it is logged as an event. In SunScreen, the default screening rule is to fail any packet that is not explicitly allowed to pass. What encryption alternatives are available in SunScreen? SunScreen uses a combination of shared key and public key encryption to provide data privacy and authentication. Privacy means that only the intended recipient will be able to decipher the message; authentication means that there is a high level of confidence that the identity of the message originator is valid and that the message has not been modified in transmission. The following encryption software is available on SunScreen: shared key: 40-bit RC2 and RC4, 56-bit DES public key: 1024-bit RSA, 1024-bit Diffie-Hellman Shared key encryption and public key encryption both have advantages and disadvantages. Shared key encryption is desirable because it ensures confidence in privacy and yet is moderate in its demands for processing power during data transformation. It is flawed because both sender and recipient need access to the same key; having to distribute a key compromises its secrecy. In public key encryption, two keys are used - a private key and a public key. The two keys are generated in the same operation. One key can be thought of as the inverse of the other, though there is no obvious relationship between the two. Any data stream that is encrypted using one key can be decrypted by the other, but only by the other. The owner of the private key can distribute the public key at will, but need never (and should never) distribute the private key. Therefore, public key encryption solves the twin problems of privacy and authentication. Consider the case of a holder of a public key encrypting a message to be sent to the owner of its private pair. This is a private transmission because nobody but the private key owner can decrypt the message. Now consider the case of the of the owner of the private key sending an encrypted message to a public key pair holder. If this message decrypts successfully, then it must have come from the private key owner. It is authenticated. A minor disadvantage to public key encryption is that each originator needs his own private key and multiple public keys in order to exchange private messages. A major disadvantage is that public key cryptography demands a lot of processing power during data transformations. SunScreen combines these methods to assure private and authenticated message transmission across public networks at reasonable performance. Why was a PC chosen as the Administration Station platform? popularity considered the PC a good end-user prototype. A SPARC-based desktop Administration Station is under consideration What is Sun ICG? ICG is the Internet Commerce Group, a Sun business whose charter is to produce enabling technologies and solutions for doing business over the Internet and other public networks. ICG will be developing the SunScreen Product Line, and its first product offering is the SPF-100 What is packet tunneling? Packet tunneling refers to the capability of encapsulating one packet in another packet. Together with encryption, tunneling provides data privacy as well as network topology hiding. Network packets traveling between two private networks are encrypted and encapsulated in a wrapper packet at the exit point of one network and unwrapped and decrypted at the entry point of the other and then passed along to their destination host. What is packet vectoring? Packet vectoring is a capability which enables a packet to be "copied" and diverted to other areas in addition to its intended route, for further processing. Packet vectoring enables distributed processing of packet streams for billing, metering, auditing and intrusion detection purposes. SunScreen includes the capability to do packet vectoring but currently does not have an application which would enable it to be used by customers. What is SKIP? SKIP, an acronym for Simple Key Management Internet Protocol, provides a simple means of secure communications between two SunScreens across the Internet. SKIP was invented by Ashar Aziz of Sun Microsystems, Inc. and is currently being considered by the Internet Engineering Task Force (IETF) as an Internet service standard. It is a sessionless service that acts as the entry and exit point for secure communications between two private networks. When invoked as a service, SKIP encrypts a client packet stream as described above. Using packet tunneling, client source and destination encrypted, hiding private network topologies from the public. This encrypted packet stream is then forwarded to the destination network, where it is decrypted by another SunScreen supporting the SKIP service. Once inside the destination private network, the packet stream continues on its way to the destination host. Details on the SKIP specification can be found at http://skip.incog.com/ Does SunScreen support application relays? SunScreen does not support application relays. There is no way to load applications on the SPF-100 embedded operating system. However SunScreen application relays are legitimate, useful adjuncts to a secure network. They can easily be integrated into a network access barrier created by a SunScreen. One or more of the Quad Ethernet interfaces on the SunScreen can be dedicated to a network supporting systems with application relays. Using the SunScreen packet filtering feature, packets appropriate for an application relay would be directed to the host running that application relay, returned to the SunScreen, and passed on (or failed) to their destination. What products compete with SunScreen? SunScreen is a high-end network security solution. It is unique not only due to its stealth design and integrated encryption technology, but also because it includes services which makes it a truly complete security solution. Other security products on the market today are either implemented only in software, lack encryption capabilities or are run layered on top of existing, multi purpose operating systems. Currently popular security products include Eagle/Raptor, TIS Gauntlet, CheckPoint FireWall-1, DEC SEAL, ANS Interlock and Livingston Enterprises Firewall IRX. Who are likely customers for SunScreen ? SunScreen is targeted at commercial, enterprise, highly networked customers. Commercial enterprises which are critically dependent on networks for their business functioning are the primary candidates for this product. Such customer include telecommunications companies, financial institutions, health care organizations and the Government How does SunScreen differ from FireWall-1 ? SunScreen can be regarded as a functional superset of FireWall-1 . It is a highly sophisticated network security solution targeted at complex, commercial networks. FireWall-1 restricts its operation to packet screening. SunScreen provides support for message encryption/decryption. In addition, SunScreen is invisible from the network, rendering it more difficult to detect and invade; SunScreen SPF-100 can only interface to a qualified Administration Station using an encrypted link, making it very difficult to probe or to modify the operating environment. SunScreen provides a higher level of security at a higher price. Users need to evaluate their security needs. FireWall-1 may provide adequate security for the basic security needs of corporation. What restriction does the US Government impose on using cryptographic methods available with SunScreen? All modes of encryption included with SunScreen are permitted for all transactions within the U.S.A.. and Canada. Shipping encryption products including DES, 1024 bit Diffie-Hellman, and 1024 bit RSA outside the U.S.A.. and Canada requires an export license. An export license for the use of an encryption product by a foreign based entity controlled by a U.S.A.. company, has a strong prospect for approval What special security issues does interaction with the WWW present? Communication with the WWW and other Internet services such as Archie and Gopher present no special problem for SunScreen security. Packet screens can easily be configured to regulate traffic from/to these services using standard Administration Station tools. Is there any kind of security certification for this class of product? Typically, security classification such as B1 , C2 , etc. issued by the NSA, entails certification of a complete operation environment, including hardware, OS, applications, etc. Sun has designed the product to be independent of a multi purpose operating system. The embedded OS included in the SPF-100, has been stripped off all network services, user programs, etc. and can be used only for executing the SunScreen software. However, with the recognition that some sort of security classification will be required for SunScreen, Sun is working with the proper authorities to define appropriate classifications for this new class of security. ------------------------------------------------------------------------------ HotJava Security Answers First some bulk information on Java security, there are three concepts here and you have to keep them separate: Safety, Security, and Trust. They apply to both the language itself (Java) and the browser written in the language (HotJava). Java - Security Within The Language: Safety: The Java language is safe because the language has no intrinsic semantics for modifying the trusted computing base. In simple terms this means that there is no way for pure Java code to modify its own stack, write on memory it hasn't allocated, or execute methods (invoke functions) it wasn't explicitly given access too. The mechanisms used to create this safety are the language design (no semantics), the virtual machine design (sufficient semantic information is retained in a 'binary' to verify that the language imposed limits are not violated), and un-forgeable pointers (no casting). Further memory reclamation is done by a garbage collector which eliminates hanging pointer problems. Array indexing and pointer casting is checked at runtime for validity. Security: The Java language is secure because, as an object oriented language the only way to do anything is to invoke a method on a class, and the only way to instantiate a class is with the 'new' operator. This operator is tied into a system class of type ClassLoader which enforces arbitrary security policies on classes that it loads. Class loaders are thus the arbiters of the capabilities granted a class they have instantiated. Trust: The Java language will supply a class loader capable of verifying a digital signature on a class prior to loading that class. This allows different capabilities to be assigned to classes of differing origin. Further, classes will be able to query the class loader for this information and thus be able determine if they are being called by a trusted class. (this is required to export cryptography in the Java runtime, the crypto classes have to know who is calling them so as to enforce US mandated restrictions on their operation.) HotJava - Security Within The Browser: Safety: Safety in the HotJava browser revolves around primarily the control of applets. Applets are loaded using an anal class loader called the NetClassLoader. This class loader can control access to system services. Further the implementation of certain classes (such as File) recognize when they are being invoked from a class that was loaded from the network class loader and they enforce additional restrictions. For example, applets can only open files in two directories on UNIX systems: /tmp/hotjava and ~/.hotjava (this can be modified with the READPATH and WRITEPATH environment var's) Further when files are accessed in these directories a confirmation is raised in the form of a dialog with the user. There is no way for an applet to get around this restriction. To open a file it _has_ to use the File class, the network class loader won't allow it to load a new version of the File class, and the file class has to have some bound in C code to do its work and the applet can't bring over its own native code. Its stuck. Security: The browser keeps track of what the applets are doing. Under some conditions it modifies the capabilities available to an applet after certain events. For example, the network class loader keeps track of whether or not the applet came from "within" the firewall (direct access to host) or "outside" the firewall (through the firewall). It also keeps track of any files or sockets the applet opens. If the applet opens any socket or file that is bound "inside" the firewall (any file, and host inside the firewall) it is prevented from ever opening a connection to a host "outside" the firewall. Trust: The browser is "trusted" code, and the source is available to assist in developing trust of the code. Further it will be possible to sign all valid browser classes (package browser.*) with a browser key, preventing from any subversion of the browser after it has reached trusted status. (I envision it working something like: Certify the browser through inspection or what ever, build the classes, sign the classes, invoke the browser with the public key of the signature. Destroy the secret key.) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Press announcements and other information about Sun Microsystems are available on the Internet via the World Wide Web. URL http://www.sun.com SunFlash - A Full-Text On Demand Newsletter for Users of Sun Computers John J. McLaughlin - Publisher & Editor - flash@FlashBack.COM Tim Wells - Associate Editor - tim@FlashBack.COM Mark Wood - Distribution Manager - flashadm@FlashBack.COM Subscriptions to majordomo@FlashBack.COM Article Requests to flashback@FlashBack.COM Article Submissions to flash@FlashBack.COM For more information send email to flashback@FlashBack.COM with article names or numbers in the Subject line: 9001 - general introduction index - for an index of the most recent 150 articles fullindex - for an index of 800+ articles popular - for a summary of the popular article for each month 73.00 1176 - For the January 1995 Table of Contents 74.00 - For the February 1995 Table of Contents 75.00 1221 - For the March 1995 Table of Contents 76.00 1262 - For the April 1995 Table of Contents 77.00 1286 - For the May 1995 Table of Contents 78.00 1344 - For the June 1995 Table of Contents ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
participants (1)
-
John Gilmore